<html>
<head><meta charset="utf-8"><title>docs.rs CI secrets · general · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/index.html">general</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/docs.2Ers.20CI.20secrets.html">docs.rs CI secrets</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="233244654"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/docs.rs%20CI%20secrets/near/233244654" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lokathor <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/docs.2Ers.20CI.20secrets.html#233244654">(Apr 05 2021 at 23:22)</a>:</h4>
<p>josh should i be worried that the build log there is spitting warnings about low security in the rust project?</p>



<a name="233244714"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/docs.rs%20CI%20secrets/near/233244714" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/docs.2Ers.20CI.20secrets.html#233244714">(Apr 05 2021 at 23:23)</a>:</h4>
<p>uhhh I don't know lokathor that's a good question <span aria-label="joy" class="emoji emoji-1f602" role="img" title="joy">:joy:</span></p>



<a name="233244801"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/docs.rs%20CI%20secrets/near/233244801" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/docs.2Ers.20CI.20secrets.html#233244801">(Apr 05 2021 at 23:24)</a>:</h4>
<p>hey <span class="user-mention" data-user-id="121055">@Pietro Albini</span> on a scale from no to yes how concerning is this</p>
<div class="codehilite"><pre><span></span><code>docker login -u AWS -p *** https://890664054962.dkr.ecr.us-west-1.amazonaws.com
WARNING! Using -*** the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /home/runner/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
</code></pre></div>



<a name="233245055"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/docs.rs%20CI%20secrets/near/233245055" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mark Drobnak <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/docs.2Ers.20CI.20secrets.html#233245055">(Apr 05 2021 at 23:28)</a>:</h4>
<p>Definitely go with the stdin route if possible. Storing passwords anywhere is a big no-no usually</p>



<a name="233245075"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/docs.rs%20CI%20secrets/near/233245075" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/docs.2Ers.20CI.20secrets.html#233245075">(Apr 05 2021 at 23:28)</a>:</h4>
<p><span class="user-mention silent" data-user-id="218805">Mark Drobnak</span> <a href="#narrow/stream/122651-general/topic/does.20docs.2Ers.20support.20-Zbuild-std.3F/near/233245055">said</a>:</p>
<blockquote>
<p>Definitely go with the stdin route if possible. Storing passwords anywhere is a big no-no usually</p>
</blockquote>
<p>well in this context "store" is just as long as the CI runner executes</p>



<a name="233245084"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/docs.rs%20CI%20secrets/near/233245084" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/docs.2Ers.20CI.20secrets.html#233245084">(Apr 05 2021 at 23:29)</a>:</h4>
<p>the whole container gets deleted at the end</p>



<a name="233247472"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/docs.rs%20CI%20secrets/near/233247472" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> The 8472 <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/docs.2Ers.20CI.20secrets.html#233247472">(Apr 05 2021 at 23:58)</a>:</h4>
<p>If 3rd parties can submit PRs which modify the workflow and run CI with the modified CI they could probably exfiltrate the secret. So the secret's value should be kept low. read-access to a single docker repo</p>



<a name="233247536"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/docs.rs%20CI%20secrets/near/233247536" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lokathor <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/docs.2Ers.20CI.20secrets.html#233247536">(Apr 05 2021 at 23:59)</a>:</h4>
<p>can't all public repos be read without any secret anyway?</p>



<a name="233247975"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/docs.rs%20CI%20secrets/near/233247975" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> The 8472 <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/docs.2Ers.20CI.20secrets.html#233247975">(Apr 06 2021 at 00:03)</a>:</h4>
<p>I did assume it's private</p>



<a name="233249659"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/docs.rs%20CI%20secrets/near/233249659" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/docs.2Ers.20CI.20secrets.html#233249659">(Apr 06 2021 at 00:26)</a>:</h4>
<p>The warning itself isn't a problem afaik, and the secret should be in GitHub's secret store. It shouldn't be a cause for concern, but regardless, I strongly recommend any such questions should go through security disclosure process ideally <a href="https://www.rust-lang.org/policies/security">https://www.rust-lang.org/policies/security</a> IMO</p>



<a name="233292838"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/docs.rs%20CI%20secrets/near/233292838" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/docs.2Ers.20CI.20secrets.html#233292838">(Apr 06 2021 at 09:49)</a>:</h4>
<p><span class="user-mention silent" data-user-id="330154">The 8472</span> <a href="#narrow/stream/122651-general/topic/docs.2Ers.20CI.20secrets/near/233247472">said</a>:</p>
<blockquote>
<p>If 3rd parties can submit PRs which modify the workflow and run CI with the modified CI they could probably exfiltrate the secret. So the secret's value should be kept low. read-access to a single docker repo</p>
</blockquote>
<p>that doesn't work: the secrets needed there are not available on PR builds, but only in branch builds (which require someone with write access to the repo)</p>



<a name="233292955"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/docs.rs%20CI%20secrets/near/233292955" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/docs.2Ers.20CI.20secrets.html#233292955">(Apr 06 2021 at 09:50)</a>:</h4>
<p>given github actions's security model and other mitigations we implemented it shouldn't be possible at all to exfiltrate any kind of secret with PRs</p>



<a name="233293004"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/docs.rs%20CI%20secrets/near/233293004" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/docs.2Ers.20CI.20secrets.html#233293004">(Apr 06 2021 at 09:50)</a>:</h4>
<p><span class="user-mention silent" data-user-id="116122">simulacrum</span> <a href="#narrow/stream/122651-general/topic/docs.2Ers.20CI.20secrets/near/233249659">said</a>:</p>
<blockquote>
<p>The warning itself isn't a problem afaik, and the secret should be in GitHub's secret store. It shouldn't be a cause for concern, but regardless, I strongly recommend any such questions should go through security disclosure process ideally <a href="https://www.rust-lang.org/policies/security">https://www.rust-lang.org/policies/security</a> IMO</p>
</blockquote>
<p>please go to the security policy route if anyone manages to break this :)</p>



<a name="233293086"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/docs.rs%20CI%20secrets/near/233293086" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/docs.2Ers.20CI.20secrets.html#233293086">(Apr 06 2021 at 09:51)</a>:</h4>
<p>also, the warning about storing the credentials on the file is not really important, as the VM gets destroyed as soon as the job finishes and that credential is temporary anyway</p>



<a name="233293259"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/docs.rs%20CI%20secrets/near/233293259" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/docs.2Ers.20CI.20secrets.html#233293259">(Apr 06 2021 at 09:52)</a>:</h4>
<p><a href="https://github.com/rust-lang/simpleinfra/blob/fefff4d492c02388091c543ef8921c4fd98e0fb0/github-actions/upload-docker-image/index.js#L30">this is the line</a> if someone wants to change that command to <code>--password-stdin</code>, but it's really low priority</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>